The same researchers who spotted the OSX/Linker malware have also found the CrescentCore malware. To evade antivirus software and other protections, the malware is disguised as a Flash Player installer. CrescentCore was initially found on a website claiming to distribute free digital versions of new comic books. The researchers also stated, “A high-ranking Google search result was also observed redirecting through multiple sites, eventually leading to a page (hosted at any of a large number of domains) with flashy warnings about Adobe Flash Player supposedly needing to be updated—which in reality is a malware distribution site.” Other sites distributing CrescentCore offered free movies, TV shows, music, and eBooks. The malware arrives as a DMG disk image file disguised as an Adobe Flash Player updater. Once the user opens the image and launches the installer, the trojan checks whether it is running inside a virtual machine and whether antivirus software is installed; if either is true, it exits without continuing. A second variant was also found during the investigation: instead of the fake Flash Player updater, it installs either the Advanced Mac Cleaner software or a malicious Safari browser extension. Both variants are signed with code-signing certificates issued to the developer Sanela Lovice, so a signed installer is not blocked by Gatekeeper on that basis alone until Apple revokes the certificate.
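The evasion behaviour described above (refuse to run inside a VM or alongside antivirus) is what an analyst has to defeat before detonating such a sample, and the developer signature is the fastest pivot for hunting related installers. The helper below, added here as an example and not code from the article, Intego, or the malware itself, parses constructed `sysctl -n hw.model`, `ioreg -l`, `/Applications` listing and `codesign -dvv` output. The page does not say which indicators CrescentCore inspects, so the VM and antivirus markers, the bundle identifier `com.example.installer` and the team ID `TEAMID0000` are assumptions and placeholders, not real values.

```python
"""Triage helpers for a macOS sample that bails out in a VM or next to antivirus.

Added example, not code from the original article, from Intego or from the
malware. The indicator strings are common VM / AV fingerprints chosen as
assumptions; the page does not state which ones CrescentCore checks.
"""
from __future__ import annotations

# Assumed VM fingerprints that sandbox-aware macOS malware commonly looks for
# in hw.model and the IORegistry.
VM_MARKERS = ("vmware", "virtualbox", "vbox", "parallels", "qemu", "virtual machine")

# Assumed substrings of security-product bundle names in /Applications.
AV_MARKERS = ("malwarebytes", "intego", "avast", "sophos", "bitdefender")


def vm_indicators(hw_model: str, ioreg_text: str) -> list[str]:
    """Return the VM markers present in `sysctl -n hw.model` and `ioreg -l` output."""
    haystack = (hw_model + "\n" + ioreg_text).lower()
    return sorted({m for m in VM_MARKERS if m in haystack})


def av_present(app_listing: list[str]) -> list[str]:
    """Return bundles from an /Applications listing that look like AV products."""
    return sorted(app for app in app_listing
                  if any(m in app.lower() for m in AV_MARKERS))


def sample_would_run(hw_model: str, ioreg_text: str, app_listing: list[str]) -> bool:
    """Mimic the documented decision: run only if no VM and no AV is detected.

    Use this on your own analysis VM's real output to see whether it leaks the
    indicators before spending time on a detonation that silently exits.
    """
    return not vm_indicators(hw_model, ioreg_text) and not av_present(app_listing)


def signing_info(codesign_output: str) -> dict[str, str | None]:
    """Extract identifier, leaf signing authority and team ID from `codesign -dvv`.

    codesign prints the certificate chain leaf-first, so the first
    `Authority=` line names the developer certificate.
    """
    info: dict[str, str | None] = {"identifier": None, "authority": None, "team": None}
    for line in codesign_output.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        if key == "Identifier":
            info["identifier"] = value
        elif key == "Authority" and info["authority"] is None:
            info["authority"] = value
        elif key == "TeamIdentifier":
            info["team"] = value
    return info


def signed_by(codesign_output: str, developer_name: str) -> bool:
    """True if the leaf certificate names the given developer (e.g. the one from the report)."""
    authority = signing_info(codesign_output)["authority"] or ""
    return developer_name.lower() in authority.lower()


# ---- constructed sample data (not captured from a real system) ----
SAMPLE_HW_MODEL_VM = "VMware7,1"            # constructed: VMware Fusion guest
SAMPLE_HW_MODEL_REAL = "MacBookPro15,1"     # constructed: physical Mac
SAMPLE_IOREG_VM = '|   "manufacturer" = <"VMware, Inc.">\n|   "IOPlatformSerialNumber" = "VMxxxxxxxx"\n'
SAMPLE_IOREG_REAL = '|   "manufacturer" = <"Apple Inc.">\n|   "IOPlatformSerialNumber" = "C02XXXXXXXXX"\n'
SAMPLE_APPS_WITH_AV = ["Safari.app", "Malwarebytes.app", "Advanced Mac Cleaner.app"]
SAMPLE_APPS_CLEAN = ["Safari.app", "Advanced Mac Cleaner.app"]
SAMPLE_CODESIGN = (
    "Executable=/Volumes/Flash Player/Install.app/Contents/MacOS/Install\n"
    "Identifier=com.example.installer\n"            # placeholder identifier
    "Authority=Developer ID Application: Sanela Lovice (TEAMID0000)\n"  # placeholder team ID
    "Authority=Developer ID Certification Authority\n"
    "Authority=Apple Root CA\n"
    "TeamIdentifier=TEAMID0000\n"
)

if __name__ == "__main__":
    print("VM indicators:", vm_indicators(SAMPLE_HW_MODEL_VM, SAMPLE_IOREG_VM))
    print("AV present:", av_present(SAMPLE_APPS_WITH_AV))
    print("would run in analysis VM:", sample_would_run(SAMPLE_HW_MODEL_VM, SAMPLE_IOREG_VM, SAMPLE_APPS_WITH_AV))
    print("would run on clean host:", sample_would_run(SAMPLE_HW_MODEL_REAL, SAMPLE_IOREG_REAL, SAMPLE_APPS_CLEAN))
    print("signer:", signing_info(SAMPLE_CODESIGN))
```

On a real macOS analysis box, feed `sample_would_run` the actual output of `sysctl -n hw.model`, `ioreg -l` and `ls /Applications`; a `False` tells you the sandbox is fingerprintable and needs hardening before detonation. The `signed_by` check is a cheap hunt over `codesign -dvv` output from quarantined DMG contents for other installers signed under the same developer name.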